If I understand correctly, that means two invocations of PAM are actually used. But does that mean there is no way to handle users' expired passwords? Normally under dtlogin, if the account password is expired, they are prompted to change it when the auth module succeeds but the account module specifies that the account is expired. However, if there are two PAM invocations, the auth modules used by utnsclogin can't pass any information to the account modules in dtlogin-SunRay.
Thanks, William Yang > -----Original Message----- > From: [email protected] [mailto:sunray-users- > [email protected]] On Behalf Of Bob Doolittle > Sent: Wednesday, January 05, 2011 5:57 PM > To: SunRay-Users mailing list > Subject: Re: [SunRay-Users] PAM configuration on Solaris > > Slight mis-statement: > > On 01/05/11 17:16, Bob Doolittle wrote: > > utnsclogin doesn't need these, because it's not actually a Display > Manager - it doesn't manage displays/sessions. It only does authentication > and potentially redirection to the server hosting the token's session (if > a session already exists). > > In fact, NSCM utilizes two PAM services - utgulogin and utnsclogin. It's > utgulogin that does potential redirection, after acquiring the user's name. > Then utnsclogin is invoked, and it just does authentication. Together, > utgulogin and utnsclogin perform the function that a DM's greeter would > normally perform in part of its auth stack. > > -Bob > > _______________________________________________ > SunRay-Users mailing list > [email protected] > http://www.filibeto.org/mailman/listinfo/sunray-users _______________________________________________ SunRay-Users mailing list [email protected] http://www.filibeto.org/mailman/listinfo/sunray-users
